1. Technical Field
This application generally relates to the field of user account information and, in particular, to an extensible framework for communicating over a firewall with a software application regarding its user accounts.
2. Background Information
A software application that requires a person to log in to an account maintains information regarding each account. Assuming that each person has a separate account, this account information (sometimes referred to as a “user profile”) includes, for example, the person's user name, the person's password (or other authentication information), the person's real name, the person's email address, groups of which the person's account is a member, permissions or settings associated with the person's account, and past activity of the person's account. The account information is accessed to manage the accounts, such as provisioning (e.g., creating or activating) an account, deprovisioning (e.g., deactivating or deleting) an account, modifying a user profile, and performing a mass user import (e.g., provisioning many accounts for many different people in a batch process). The account information is also accessed to perform delegated authentication. For example, a user name and password provided by a user can be sent to the application, and the application can determine whether the user name and password are valid (e.g., whether they match a particular user profile).
A given corporate device user (e.g., an employee, customer, partner, or contractor) often makes use of several software applications, each of which requires the user to log in to an account. Use of multiple applications by the same user therefore often requires multiple accounts, leading to a proliferation of user accounts and user profiles. As mentioned above, account information is accessed both to manage the accounts and to perform delegated authentication. Often, each software application offers a different interface (e.g., a different application programming interface (API)) for accessing its account information. Communicating with several different applications regarding their account information through these various interfaces is very time-consuming for a company's Information Technology (IT) department.
One solution is to use a third-party service to communicate with the software applications regarding their account information. However, it can be a security risk to allow a machine located outside the company's firewall (the one executing the third-party service) to communicate with a machine located inside the company's firewall (the one executing an on-premise application). Also, the machine located outside the company's firewall (executing the third-party service) still needs to use a different interface for each on-premise application it communicates with.